RFID Security Service, Tools on Tap

New audit service and appliance to target RFID customers looking to lock down their systems

PacketFocus next week will launch one of the industry's first commercial RFID security auditing services -- and it's building an RFID security appliance as well, Dark Reading has learned.

RFID security has landed front and center during the past few months, with researchers demonstrating the ease of passport-hacking, card-cloning, and SQL injection attacks on RFID systems. Even so, many organizations still run less-secure, early-generation RFID systems, and do little to secure them. (See RFID Under Attack Again, Black Hat Cancels RFID Demo, HID, IOActive Butt Heads Again, and New RFID Attack Opens the Door.)

PacketFocus's new RFID security auditing service will identify policy and procedures for RFID, as well as check out reader and tag security, and how they are configured. "We'll look at passwords, RFID middleware, and how readers communicate with the middleware," says Joshua Perrymon, PacketFocus's CTO. "The service highlights potential vulnerabilities. You need to know what kind of risk you have in your network once you've brought RFID in."

Perrymon expects the audits' main findings to be weak input validation -- filtering out irrelevant characters before tag data reaches the back end -- and how RFID tags and readers handle passwords, along with whatever RFID policies and procedures an organization has or has not put in place, he says. PacketFocus will offer the RFID security auditing service under a new division called RFID Audit Group, he says.
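To make the input-validation weak spot concrete, here is an added example (not PacketFocus's code, and not from the audit service) showing a minimal RFID middleware lookup in two forms: the "before" that splices raw tag data into SQL, which is the kind of flaw the article's SQL-injection references describe, and the "after" that whitelists the expected tag format and uses a parameterised query. The badge table, the 7-byte hex UID format and the tag values are all constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory access-control table standing in for the middleware's
# back-end database (assumption: one row per badge, keyed by the tag's UID).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE badges (tag_id TEXT PRIMARY KEY, holder TEXT, door_access INTEGER)"
    )
    conn.executemany(
        "INSERT INTO badges VALUES (?, ?, ?)",
        [
            ("0400A1B2C3D4E5", "alice", 1),   # constructed UID, may open doors
            ("0400F6E5D4C3B2", "bob", 0),     # constructed UID, no door access
        ],
    )
    return conn


# Assumed tag format for this example: a 7-byte UID rendered as 14 uppercase hex
# characters. Anything else is not a tag ID and must never reach the query.
TAG_ID_RE = re.compile(r"^[0-9A-F]{14}$")


def lookup_vulnerable(conn, tag_data):
    """'Before': tag bytes are concatenated straight into the SQL statement.

    Whatever is written on the tag becomes part of the query, so a tag that
    carries quote characters changes the query's logic. This is the pattern an
    audit of reader-to-middleware handling is meant to surface.
    """
    query = f"SELECT holder, door_access FROM badges WHERE tag_id = '{tag_data}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, tag_data):
    """'After': reject anything that is not a well-formed UID, then bind it.

    The whitelist stops malformed tag content at the boundary; the placeholder
    makes the database treat the value as data even if the whitelist were wrong.
    Returns None for rejected input so callers can log and deny.
    """
    if not TAG_ID_RE.fullmatch(tag_data):
        return None
    return conn.execute(
        "SELECT holder, door_access FROM badges WHERE tag_id = ?", (tag_data,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    good_tag = "0400A1B2C3D4E5"
    malformed_tag = "' OR '1'='1"   # constructed: a tag payload that is not a UID
    print("vulnerable, good tag:", lookup_vulnerable(db, good_tag))
    print("vulnerable, malformed tag:", lookup_vulnerable(db, malformed_tag))
    print("hardened, good tag:", lookup_hardened(db, good_tag))
    print("hardened, malformed tag:", lookup_hardened(db, malformed_tag))
```

The point of the pair is that the hardened version does two independent things: it validates the tag against the format the system expects, and it never lets tag content be interpreted as SQL. Either one alone would have blocked the malformed tag here; an auditor would want to see both, because the format check is what keeps the reader-to-middleware path clean for every downstream consumer, not only the database.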

Meanwhile, it's also developing an RFID security appliance that detects and reports attacks, called RF Defender, he says. The appliance, which will be priced between $40,000 and $50,000, will sit with the RFID reader, and can be used in both access-control and supply chain-type RFID environments, he says.

"The appliance has multiple sensors and integrates into the RFID environment. We not only look at the RFID reads, we correlate with the middleware and other layers to provide a holistic view of the RFID system. This allows us to correlate events and detect attacks in-depth," he says. The product will detect denial of service, and password-type attacks, for instance.
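The article does not describe how RF Defender's detection works, so the following is an added example of my own, not the appliance's logic: a small detector that reads reader-side events and raises the two alert types the paragraph names, a password-guessing pattern (repeated authentication failures against one tag at one reader inside a short window) and a denial-of-service pattern (a read rate at one reader far above normal). The log format, the thresholds and every event line are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed reader event log. Assumed format: ISO timestamp followed by
# key=value fields. AUTH_FAIL is a failed tag/reader password exchange.
SAMPLE_EVENTS = """\
2007-05-01T10:00:00 reader=dock-3 tag=0400A1B2C3D4E5 result=AUTH_OK
2007-05-01T10:00:01 reader=dock-3 tag=0400F6E5D4C3B2 result=AUTH_FAIL
2007-05-01T10:00:02 reader=dock-3 tag=0400F6E5D4C3B2 result=AUTH_FAIL
2007-05-01T10:00:03 reader=dock-3 tag=0400F6E5D4C3B2 result=AUTH_FAIL
2007-05-01T10:00:04 reader=dock-3 tag=0400F6E5D4C3B2 result=AUTH_FAIL
2007-05-01T10:00:05 reader=dock-3 tag=0400F6E5D4C3B2 result=AUTH_FAIL
2007-05-01T10:01:00 reader=gate-1 tag=0400A1B2C3D4E5 result=AUTH_OK
2007-05-01T10:01:00 reader=gate-1 tag=0400A1B2C3D4E5 result=READ_OK
"""

# Constructed burst: 60 distinct tags seen by one reader within one second,
# standing in for a flood that starves legitimate reads.
FLOOD_EVENTS = [
    f"2007-05-01T10:02:00 reader=gate-1 tag=00000000000{i:03X} result=READ_OK"
    for i in range(60)
]


def parse(lines):
    """Turn log lines into dicts with a parsed 'ts'; blank lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts_str, *fields = line.split()
        event = dict(field.split("=", 1) for field in fields)
        event["ts"] = datetime.fromisoformat(ts_str)
        yield event


def detect(lines, fail_threshold=5, fail_window=timedelta(seconds=30),
           rate_threshold=50, rate_window=timedelta(seconds=1)):
    """Sliding-window detection over a time-ordered event stream.

    Returns a list of alert tuples. Each (kind, reader[, tag]) condition is
    reported once so a sustained attack does not produce one alert per event.
    """
    alerts = []
    fails = defaultdict(deque)   # (reader, tag) -> timestamps of AUTH_FAIL
    reads = defaultdict(deque)   # reader -> timestamps of any event
    flagged = set()

    for ev in parse(lines):
        ts, reader = ev["ts"], ev["reader"]

        # Denial-of-service pattern: too many events at one reader per window.
        window = reads[reader]
        window.append(ts)
        while window and ts - window[0] > rate_window:
            window.popleft()
        if len(window) >= rate_threshold and ("read_flood", reader) not in flagged:
            flagged.add(("read_flood", reader))
            alerts.append(("read_flood", reader, ts))

        # Password-type pattern: repeated failures for one tag at one reader.
        if ev.get("result") == "AUTH_FAIL":
            key = (reader, ev["tag"])
            hist = fails[key]
            hist.append(ts)
            while hist and ts - hist[0] > fail_window:
                hist.popleft()
            if len(hist) >= fail_threshold and ("password_guessing", key) not in flagged:
                flagged.add(("password_guessing", key))
                alerts.append(("password_guessing", reader, ev["tag"], ts))

    return alerts


def run_sample():
    """Run the detector over the constructed log and the constructed flood."""
    return detect(SAMPLE_EVENTS.splitlines() + FLOOD_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The thresholds are deliberately plain so the logic is easy to follow; in a real deployment they would be tuned per reader, since a dock door that sees a pallet of tagged cases every few seconds has a very different baseline from a single-badge building entrance. Correlating these reader-side alerts with middleware logs, as the paragraph describes, would be the next layer: a reader reporting a flood while the middleware records no matching lookups is a stronger signal than either source alone.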

Perrymon, who says RF Defender won't be officially announced for a couple of months, acknowledges that the RFID security market is still young. "I know it's not huge right now, but it will be very huge in a couple of years."

The ultimate goal of the new RFID security auditing service, he says, is to flip-flop the conventional wisdom of going operational before securing the system: "We're going to do security before going operational."

RFID security expert Adam Laurie says RFID security auditing makes sense. "There's a need for it. At the moment it seems the industry has put blind faith in" RFID, he says. "I think this would be for people to be made aware of what actually are the potential security issues... And the sooner they are addressed, the better."

PacketFocus joins a relatively deserted RFID security market with few suppliers. Netherlands-based Riscure does RFID security testing, for instance, and there's a research project in Europe called RFID Guardian, an RFID firewall.

But Laurie, who at Black Hat Europe showed how it was possible to reprogram RFID tags and duplicate a legitimate user's building cardkey using code based on his RFIDIOt tools, says RFID devices such as a firewall may be overkill. "I think a lot of these are like using a sledgehammer to crack a nut."

Chris Paget, director of R&D for IOActive, says an RFID firewall or similar approach may be irrelevant: "If the card in your pocket is insecure, there's not a lot you can do to protect the system. No matter what you do with it, it cannot be trusted," he says. Meanwhile, he says, he's interested in learning more about PacketFocus's RF Defender appliance's features.

PacketFocus expects the supply chain sector in automotive, pharmaceuticals, large retail, and the Defense Department to be the biggest draw for its RFID security audit service initially. Perrymon made sure the service syncs with the National Institute of Standards and Technology's (NIST) Guidelines for Securing Radio Frequency Identification Systems announced last month, which is aimed at retailers, manufacturers, hospitals, federal agencies, and companies that use RFID in their supply chains.

"NIST doesn't [address] RFID access control," Perrymon says. "But the beauty of [our service] is you can apply it to anything," including building-access systems.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • IOActive
  • National Institute of Standards and Technology (NIST)
  • PacketFocus Security Solutions
  • Riscure BV
  • RFID Guardian
